Perform a questionnaire-based post incident review

Either during security incident creation or when you are working with an existing
security incident, you may decide that a review of the security incident is needed to
describe what happened, help determine why the incident occurred, and identify how it can
be avoided or handled in the future.

Before you begin

Before you can perform a post incident review, you must change the state of the
security incident to Review, and the Close code and Close notes fields under the
Closure information tab must be completed.

Role required: sn_si.admin, sn_si.manager, sn_si.agent

Note: Any user can participate in a post incident review questionnaire, regardless of role.

About this task

A post incident review helps to automate the collection of information from everyone
involved with a given security incident. When the review is complete, the post
incident report is automatically generated to compile all of the information related
to the security incident, as well as all responses to the post incident review, into
an initial draft that you can edit and complete.

Procedure

Create a security incident, or open an existing one by navigating to
Security > Incident, and selecting Created by me, Open, All, and so forth.

Click the Post Incident Review tab, and fill in the fields, as appropriate.

Field and description:

Post incident review required: Select this check box to indicate that a post
incident review is required for this security incident.

Post incident review assignees: The reviewer list defaults to the individual in the
Assigned to field, but you can click the lock icon to add other users to the review
list. After the field is unlocked, options are available for adding or removing
multiple users or entering user email addresses. When you have completed your entries,
click the lock icon to lock the field.

Post incident report: Leave the text editor box empty for now. Any text you enter
prior to the report being generated will be lost after the report is generated.

Click Update.

Each of the users in the review list receives an initial email
notification, as well as reminders as the due date nears. When each user opens
the questionnaire, the questions shown are drawn from all categories that fit
this security incident. If new users are added to the review list before the due
date is reached, they are sent notifications when the security incident is
saved.

When the last of the users in the review list has completed the questionnaire,
the Post incident report box is automatically populated
with the post incident report.

You can edit the report using the text editor.

Note: If, for any reason, you need to regenerate the report, you can do so by
clicking the Format Post Incident Report button. Be
aware, however, that any edits you made manually in the report will be
overwritten. All edits should be performed prior to closing the security
incident.

When you have completed your edits, change the state of the security incident
to Closed. This locks the security incident, including
the post incident review, preventing further changes.